Version 1.1
Published: 01/25/2018
Updated: 02/08/2018
This document describes security vulnerabilities that were addressed through software changes. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable to, but not limited to, Android for MSM (all Android releases from CAF using the Linux kernel), Firefox OS for MSM, and QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
CVE-2017-11003, CVE-2017-11066, CVE-2017-11069, CVE-2017-11079, CVE-2017-11080, CVE-2017-14869, CVE-2017-14870, CVE-2017-9712 | derrek (https://twitter.com/derrekr6) |
CVE-2017-9689 | Tim Strazzere (@timstrazz) |
CVE-2017-14873 | Peter Pi of Tencent Security Platform Department |
CVE-2017-9705 | Jianqiang Zhao (jianqiangzhao) |
CVE-2017-11081 | Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
Table of vulnerabilities
Public ID | Security Rating | Technology Area | Date Reported |
CVE-2017-15849 | High | Display | Internal |
CVE-2017-11069 | High | Trusted Execution Environment | 5/27/2017 |
CVE-2017-11003 | Medium | Boot | 3/13/2017 |
CVE-2017-9712 | Medium | WLAN HOST | 3/24/2017 |
CVE-2017-9689 | Medium | Display | 3/28/2017 |
CVE-2017-14873 | Medium | Display | 4/30/2017 |
CVE-2017-9705 | Medium | Qualcomm IPC | 5/9/2017 |
CVE-2017-14869 | Medium | Boot | 5/27/2017 |
CVE-2017-14870 | Medium | Boot | 5/27/2017 |
CVE-2017-11066 | High | Boot | 4/27/2017 |
CVE-2017-15847 | High | Trusted Execution Environment | Internal |
CVE-2017-15845 | Medium | WLAN HOST | 2/28/2017 |
CVE-2017-15848 | High | DSP Service | Internal |
CVE-2017-11081 | Medium | WLAN HOST | 7/11/2017 |
CVE-2017-11080 | Medium | Boot | 7/16/2017 |
CVE-2017-11079 | Medium | Boot | 7/16/2017 |
CVE-2017-15849
CVE ID | CVE-2017-15849 |
Title | Use After Free in Display |
Description | A LayerStack can be destroyed in between Validate and Commit by the application resulting in a Use After Free condition. |
Technology Area | Display |
Vulnerability Type | CWE-416 Use After Free |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 9/1/2017 |
Patch |
CVE-2017-11069
CVE ID | CVE-2017-11069 |
Title | Buffer Copy without Checking Size of Input in Core |
Description | Manipulation of SafeSwitch Image data can result in Heap overflow. |
Technology Area | Trusted Execution Environment |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | 5/27/2017 |
Customer Notified Date | 9/1/2017 |
Patch |
CVE-2017-11003
CVE ID | CVE-2017-11003 |
Title | Improper Input Validation in Boot |
Description | While updating a firmware image, data is read from flash into RAM without checking that the data fits into allotted RAM size. |
Technology Area | Boot |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 3/13/2017 |
Customer Notified Date | 8/7/2017 |
Patch |
CVE-2017-9712
CVE ID | CVE-2017-9712 |
Title | Information Exposure in WLAN |
Description | If userspace provides a too-large IE length in wlan_hdd_cfg80211_set_ie, a buffer over-read occurs. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 3/24/2017 |
Customer Notified Date | 7/3/2017 |
Patch |
CVE-2017-9689
CVE ID | CVE-2017-9689 |
Title | Buffer Copy without Checking Size of Input in Display |
Description | A specially-crafted HDMI CEC message can be used to cause stack memory corruption. |
Technology Area | Display |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 3/28/2017 |
Customer Notified Date | 7/3/2017 |
Patch |
CVE-2017-14873
CVE ID | CVE-2017-14873 |
Title | Improper Input Validation in Display |
Description | In the pp_pgc_get_config() graphics driver function, a kernel memory overwrite can potentially occur. |
Technology Area | Display |
Vulnerability Type | CWE-20 Improper Input Validation |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 4/30/2017 |
Customer Notified Date | 10/2/2017 |
Patch |
CVE-2017-9705
CVE ID | CVE-2017-9705 |
Title | Double Free in Core |
Description | Concurrent rx notifications and read() operations in the G-Link PKT driver can result in a double free condition due to missing locking, which lets list_del() and list_add() overlap and corrupt the next and previous pointers. |
Technology Area | Qualcomm IPC |
Vulnerability Type | CWE-415 Double Free |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 5/9/2017 |
Customer Notified Date | 10/2/2017 |
Patch |
CVE-2017-14869
CVE ID | CVE-2017-14869 |
Title | Information Exposure in Boot |
Description | While performing an update of the FOTA partition, uninitialized data can be pushed to storage. |
Technology Area | Boot |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 5/27/2017 |
Customer Notified Date | 10/2/2017 |
Patch |
CVE-2017-14870
CVE ID | CVE-2017-14870 |
Title | Information Exposure in Boot |
Description | While updating the recovery message for eMMC devices, 1088 bytes of stack memory can potentially be leaked. |
Technology Area | Boot |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 5/27/2017 |
Customer Notified Date | 10/2/2017 |
Patch |
CVE-2017-11066
CVE ID | CVE-2017-11066 |
Title | Buffer Copy without Checking Size of Input in Boot |
Description | While flashing a UBI image, uninitialized memory could be accessed. |
Technology Area | Boot |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | 4/27/2017 |
Customer Notified Date | 9/1/2017 |
Patch |
CVE-2017-15847
CVE ID | CVE-2017-15847 |
Title | Time-of-check Time-of-use (TOCTOU) Race Condition in Core |
Description | In the SPCom kernel driver, a race condition exists when creating a channel. |
Technology Area | Trusted Execution Environment |
Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/2/2017 |
Patch |
CVE-2017-15845
CVE ID | CVE-2017-15845 |
Title | Integer Underflow in WLAN |
Description | An invalid firmware size (a negative value) supplied from user space can potentially lead to a memory leak or buffer overflow during the WLAN cal data store operation. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-191 Integer Underflow (Wrap or Wraparound) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 2/28/2017 |
Customer Notified Date | 10/2/2017 |
Patch |
CVE-2017-15848
CVE ID | CVE-2017-15848 |
Title | Buffer Copy Without Checking Size of Input (“Classic Buffer Overflow”) in Multimedia |
Description | In the fastrpc kernel driver, a buffer overflow vulnerability from userspace may potentially exist. |
Technology Area | DSP Service |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | High |
Date Reported | Internal |
Customer Notified Date | 10/2/2017 |
Patch |
CVE-2017-11081
CVE ID | CVE-2017-11081 |
Title | Buffer Copy without Checking Size of Input in WLAN |
Description | There is a potential buffer overflow vulnerability in the hdd_parse_setrmcenable_command and hdd_parse_setrmcactionperiod_command APIs: the buffers defined in these APIs hold at most 32 bytes, but more than 32 bytes of data can be copied into them. |
Technology Area | WLAN HOST |
Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 7/11/2017 |
Customer Notified Date | 10/2/2017 |
Patch |
CVE-2017-11080
CVE ID | CVE-2017-11080 |
Title | Configuration Vulnerability in Boot |
Description | While processing a user-supplied sparse image, a buffer overflow could occur if the sparse header block size is equal to 4294967296 (2^32). |
Technology Area | Boot |
Vulnerability Type | CWE-16 Configuration |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 7/16/2017 |
Customer Notified Date | 10/2/2017 |
Patch |
CVE-2017-11079
CVE ID | CVE-2017-11079 |
Title | Information Exposure in Boot |
Description | While processing a sparse image, uninitialized heap memory can potentially be flashed due to the lack of validation of the sparse image block header size. |
Technology Area | Boot |
Vulnerability Type | CWE-200 Information Exposure |
Access Vector | Local |
Security Rating | Medium |
Date Reported | 7/16/2017 |
Customer Notified Date | 10/2/2017 |
Patch |
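As an added illustration of the two sparse-image issues above (CVE-2017-11080 and CVE-2017-11079), not code from CAF or the affected bootloader: the check below sizes every sparse chunk in 64-bit arithmetic and refuses any chunk whose payload is not actually present in the received data, so neither a wrapped size nor stale heap contents can reach the flash. The Android sparse header layout is public; the 4 KiB page policy, partition capacity and error codes are this example's assumptions.

```c
/* Added example, not CAF code: overflow-safe checks on an Android sparse image before
 * flashing. Offsets follow the public sparse_format.h; 4 KiB page policy, partition
 * capacity and error codes are this example's assumptions. */
#include <stdint.h>
#include <stddef.h>
#define SPARSE_MAGIC 0xed26ff3aU
#define CHUNK_RAW 0xCAC1U
#define CHUNK_FILL 0xCAC2U
#define CHUNK_DONTCARE 0xCAC3U
#define CHUNK_CRC32 0xCAC4U
#define FLASH_PAGE 4096U /* assumed flash page size */
enum { SP_OK = 0, SP_SHORT = -1, SP_BAD_HDR = -2, SP_BAD_BLKSZ = -3, SP_TOO_BIG = -4, SP_BAD_CHUNK = -5 };
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Walks every chunk header. Returns SP_OK only if all sizes agree in 64-bit arithmetic
 * and each chunk's payload is present in buf, so no stale memory past the data is flashed. */
int sparse_image_check(const uint8_t *buf, size_t len, uint64_t part_bytes) {
    if (len < 28 || le32(buf) != SPARSE_MAGIC) return SP_BAD_HDR;
    uint16_t file_hdr_sz = le16(buf + 8), chunk_hdr_sz = le16(buf + 10);
    uint32_t blk_sz = le32(buf + 12), total_blks = le32(buf + 16), total_chunks = le32(buf + 20);
    if (file_hdr_sz < 28 || chunk_hdr_sz < 12 || file_hdr_sz > len) return SP_BAD_HDR;
    if (blk_sz == 0 || blk_sz % FLASH_PAGE) return SP_BAD_BLKSZ;
    if ((uint64_t)blk_sz * total_blks > part_bytes) return SP_TOO_BIG;
    size_t off = file_hdr_sz;
    uint64_t blocks_seen = 0;
    for (uint32_t i = 0; i < total_chunks; i++) {
        if (len - off < chunk_hdr_sz) return SP_SHORT;
        uint16_t type = le16(buf + off);
        uint32_t chunk_sz = le32(buf + off + 4), total_sz = le32(buf + off + 8);
        uint64_t data = (uint64_t)chunk_sz * blk_sz; /* a 32-bit product could wrap to 0 */
        uint64_t want = type == CHUNK_RAW ? data : type == CHUNK_DONTCARE ? 0 :
                        (type == CHUNK_FILL || type == CHUNK_CRC32) ? 4 : UINT64_MAX;
        if (want == UINT64_MAX || total_sz < chunk_hdr_sz || total_sz - chunk_hdr_sz != want) return SP_BAD_CHUNK;
        if (total_sz > len - off) return SP_SHORT; /* payload was never received */
        if ((blocks_seen += chunk_sz) > total_blks) return SP_TOO_BIG;
        off += total_sz;
    }
    return SP_OK;
}
/* Constructed samples. demo_valid: one RAW chunk of one 4 KiB block -> SP_OK. demo_wrapped:
 * chunk_sz * blk_sz == 2^32 while total_sz claims no payload (what a 32-bit size would say). */
static int demo(uint8_t *img, size_t len, uint32_t nblk) {
    put32(img, SPARSE_MAGIC); put32(img + 8, 28 | 12u << 16); /* file_hdr_sz=28, chunk_hdr_sz=12 */
    put32(img + 12, 4096); put32(img + 16, nblk); put32(img + 20, 1);
    put32(img + 28, CHUNK_RAW); put32(img + 32, nblk); put32(img + 36, (uint32_t)(len - 28));
    return sparse_image_check(img, len, 1ULL << 33);
}
int demo_valid(void)   { static uint8_t img[28 + 12 + 4096]; return demo(img, sizeof img, 1); }
int demo_wrapped(void) { static uint8_t img[28 + 12]; return demo(img, sizeof img, 1U << 20); }
```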
Industry Coordination
Security ratings of issues included in Android security bulletins and these bulletins match in the most common scenarios but may differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific scenarios that involve local denial of service or privilege escalation vulnerabilities in the high level OS kernel
Version History
Version | Date | Comments |
1.0 | January 25, 2018 | Bulletin Published |
1.1 | February 8, 2018 | Removed duplicate CVE |